Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)
|
|
- Ada Wright
- 8 years ago
- Views:
Transcription
1 Appendix 10 IT Security Implementation Guide For Information Management and Communication Support (IMCS)
2 10.1 Security Awareness Training As defined in NPR A, all contractor personnel with access to Government data, including off-site personnel supporting the contract shall complete security training annually as required to meet Agency IT security training and awareness requirements. The Contractor shall use the Government provided training systems to meet this annual security requirement Security Training All contractor individuals who perform tasks as a system administrator, or have authority to perform tasks normally performed by system administrator, shall be required to demonstrate knowledge appropriate to those tasks. This demonstration is referred to as the NASA System Administrator Security Certification using the Agency provided tools System and Application Life Cycle Requirements The contractor shall comply with NPR A, Chapter 5, System Development Life Cycle (SDLC), requirements during all phases of the Systems and Applications Life Cycle Security Risk Assessments and Design Reviews The contractor shall follow the NIST SP , Security Self-Assessment Guide for Information Technology Systems; NIST SP , Risk Management Guide for Information Technology Systems; and submit a completed security risk assessment on a design prior to the design being provided to NASA. Before or during official design reviews, the contractor shall provide design security risks, including possible s, to the system owner or data owner and OCSO. If the risks are accepted the life cycle may continue; otherwise, the life cycle shall halt or the design and/or s shall be modified until the risks and possible s are acceptable Security Reviews for New or Modified Hardware, Software, and Configurations The contractor shall provide a written risk assessment and security review for new or significantly modified hardware, software, or configurations, prior to deployment. The products reviewed shall be used as a basis to update IT Security Plans, as applicable. Prior to deployment, all risks shall be presented to the system owner, AO, and OCSO, separate from the security plan. If the hardware or software connects to other systems the risks shall be presented to the system owner or equivalents and OCSO of the interconnected systems for their information. Page 10-1 of 10-8
3 10.6 Minimum System Security Requirements Prior to connecting any new non-government provided computer system or equipment to the KSC Institutional Networks, the contractor shall: a. Comply FIPS PUB 199, FIPS PUB 200, and any relevant IT SOPs on certification and accreditation. b. Acknowledge all applicable NIST-SP controls. c. Complete the Privacy Impact Analysis (PIA). d. Comply with NPR A, IT Security Requirements. e. Install and configure Agency Security Update System (ASUS) or approved Agency Patching and Reporting System to Center specifications. f. Install and configure Agency Security Configuration Standards (ASCS) to Agency and Center specifications. g. Provide a NASA approved Certified System Administrator. h. Perform a vulnerability scan, mitigate findings, and document results. i. Provide NIST SP control acceptance and Plan of Action & Milestones (POA&M) list to be reviewed by the Center s Certification and Accreditation (C&A) Official. j. Draft Authorizing Official (AO) letter per NASA Authority to Operate (ATO) process. k. Submit the complete package of items a-j above to the Center ITSM for review. l. Upon completion of Center ITSM review, submit ATO package to the AO System Configuration Requirements For any computer system that is not managed by ODIN or its successor, the contractor shall: a. Meet the current and future requirements in the NASA-STD-2804, Minimum Interoperability Software Suite, and NASA-STD-2805, Minimum Hardware Configurations, for all computer systems, unless otherwise approved by the COTR. b. Configure non-nasa managed services desktop systems with the required standard application software suite, if applicable, to stay consistent across the Agency to Page 10-2 of 10-8
4 ensure that interoperability issues do not arise. The Government has defined a core standard application software suite that is loaded on all NASA managed services computers. c. Provide and maintain software that is defined in the current and future versions of NASA-STD d. Update the computer with new software versions, upgrades, modifications, and nonsecurity and non-bug related patches associated with the operation system and application software within 1 year of the latest release by the software vendor or by the date specified in the current and future versions of NASA-STD e. Once the contractor has tested the new release, present the test results and any impacts to associated applications then submit to the CCB in sufficient time to ensure roll out within 1 year of release or by the date specified in NASA-STD- 2804, unless otherwise specified by the COTR or designee. f. Configure regular virus scans on all computer systems which the contractor is responsible. g. Enable real-time file protection and schedule full virus scans no less frequently than weekly, unless otherwise defined in Center policies or directed by the COTR or designee. h. Configure automatic updates of virus signatures no less frequently than daily for desktops, unless otherwise defined in Center policies or directed by the COTR or designee. i. Configure, in addition to NASA-STD-2804, regular adware, spyware, and malware scans on all systems for which they are responsible, but not including servers. The contractor shall enable real-time system protection and schedule full adware and spyware scans no less frequently than weekly for any desktops, unless otherwise defined in Center policies Management and Operations Vulnerability Assessment and Remediation The contractor shall provide management control services to implement IT security at KSC. In performance of these services, the contractor shall: a. Participate in the Center-wide vulnerability scanning activity. The contractor shall mitigate vulnerabilities identified, track vulnerabilities and fixes, and report the statistics to the system owner, OCSO, and COTR or designee. Page 10-3 of 10-8
5 b. Obtain approval from the system owner, OCSO, and COTR for a temporary. For a medium or low vulnerability, the contractor may mitigate the vulnerability or present a researched recommendation that justifies accepting the risk. c. Evaluate, test, and implement of these services; depending on the assessed (critical, high, medium, or low) of a vulnerability, obtain system owner, OCSO, and COTR with the. d. Comply with the standard and expedited requirements in the Vulnerability Mitigation Requirements Table below. e. Notify the system owner, OCSO, and COTR when the vulnerability is mitigated and steps taken to mitigate the vulnerability. f. Obtain approval by the system owner, OCSO, and COTR for any deviation from the requirements. g. Submit a statistics report on a monthly basis for all vulnerabilities mitigated with their associated. A permanent is required for a critical or a high vulnerability; though in some cases a temporary may be necessary. Page 10-4 of 10-8
6 For High Categorization Systems: STANDARD 4 Hours 2 working 30 working EXPEDITED 2 hours 8 hours 8 working hours 2 working For Moderate Categorization Systems: STANDARD 1 working 1 30 working 30 working 40 working Page 10-5 of 10-8
7 For Moderate Categorization Systems: EXPEDITED 4 working hours 2 working 16 working hours For Low Categorization Systems: STANDARD 40 working 30 working 60 working EXPEDITED 1 working day 3 working Page 10-6 of 10-8
8 System Contingency Planning and Emergency Preparedness In addition to what is stated in NPR A, the contractor shall participate in contingency and Disaster Recovery (DR) planning, training, and testing in accordance with the current Center Contingency Plan, COOP, and system DR plan. In performance of these services, the contractor shall: a. At least annually train contingency teams in plan procedures and operations. b. At least annually develop, plan, and implement a contingency scenario test designed to validate the effectiveness of the assigned plan(s) to quickly restore IT operations and functionality in the event of a disaster. c. Deliver a lessons learned report from each test and use the results to update the IT Contingency Plan. d. Participate in Center DR operations, in the event the Center s plan is invoked, in accordance with the Center Contingency and DR Plan. System Monitoring In performance of these services, the contractor shall: a. Ensure equipment or device logging is enabled, review logs, and report anomalies to the KSC OCSO. b. Retain electronic archival copies of all logs and retain for one year with the exception of activity logs that shall be retained for three years. c. Perform all necessary support in the event of a Government-initiated investigation, Assessment, or Certification involving the contractor s team or the contractor s customers. d. Perform all services necessary to properly respond to NASA IT security bulletins or notices from the NASA Incident Response Center (NASIRC), or the NASA CIO that apply to any contractor-supported system or environment. e. Take necessary and/or immediate corrective actions on any system in response to these bulletins and notices, and notify the system owner, COTR, and OCSO of any suspicious activities per Center security procedures IT Security Reporting Requirements The contractor shall comply with reporting requirements set by the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB), the Page 10-7 of 10-8
9 Office of the Inspector General (OIG), and the Center and Agency CIO as baseline and agreed to at the start of the contract period of performance. In performance of these services, the contractor shall: a. Report IT security incidents to the ITSM or designee(s) within one hour and shall follow the Center s documented IT security incident response procedures. b. Report using the format and content set forth in each Center s incident response report (Institutional Security Status). c. Report unexplained system anomalies that, in the judgment of the system administrator, may affect confidentiality of data or integrity of a system/data to the ITSM or designee within one hour. Such anomalies include, but are not limited to, unexplained change of directory or file permissions, unexplained installation, removal or starting/stopping of software, unexplained network traffic, unexplained unavailability of a production service, or any malicious activity. d. Provide all necessary assistance to the investigating team Distribution of Risks, Threats and Vulnerabilities The contractor shall encrypt all electronic transmissions and storage of sensitive but unclassified (SBU) information with the Agency approved encryption software and solutions Storage of System Documentation and Backup Media The contractor shall store duplicate copies of system documentation with the backup media, including updates at an off-site location secure from threats, in accordance the approved security plan Prohibition of Government Data The contractor shall not store, copy, or transfer NASA SBU data to any non-c&a system, in accordance with NPR A or for non-nasa system in accordance with NIST The contractor shall comply with OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, OMB Memorandum M-06-16, Protection of Sensitive Agency Information, and OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. Page 10-8 of 10-8
NASA Information Technology Requirement
NASA Information Technology Requirement NITR-2800-2 Effective Date: September 18,2009 Expiration Date: September 18, 2013 Email Services and Email Forwarding Responsible Office: OCIO/ Chief Information
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationFinal Audit Report -- CAUTION --
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management
More informationHow To Improve Nasa'S Security
DECEMBER 5, 2011 AUDIT REPORT OFFICE OF AUDITS NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS OFFICE OF INSPECTOR GENERAL
More informationReview of the SEC s Systems Certification and Accreditation Process
Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy
More informationNIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
More informationReport of Evaluation OFFICE OF INSPECTOR GENERAL E-09-01. Tammy Rapp Auditor-in-Charge FARM CREDIT ADMINISTRATION
OFFICE OF INSPECTOR GENERAL Report of Evaluation OIG 2009 Evaluation of the Farm Credit Administration s Compliance with the Federal Information Security Management Act E-09-01 November 18, 2009 Tammy
More informationOFFICE OF INSPECTOR GENERAL
OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Evaluation of U.S. Chemical Safety and Hazard Investigation Board s Compliance with the Federal Information Security Management
More informationFinal Audit Report. Report No. 4A-CI-OO-12-014
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
More informationNOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.
Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE Instruction 60-701 28 May 2012 Information Technology IT Security Assignment of Responsibilities
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationU.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management
More informationVA Office of Inspector General
VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND
More informationHow To Check If Nasa Can Protect Itself From Hackers
SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration
More informationPrivacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015
For Person Authentication Service (PAS) Date: January 9, 2015 Point of Contact and Author: Hanan Abu Lebdeh Hanan.Abulebdeh@ed.gov System Owner: Ganesh Reddy Ganesh.Reddy@ed.gov Office of Federal Student
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationDepartment of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS
Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes
More informationPDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]
PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationReport of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.
OFFICE OF INSPECTOR GENERAL Report of Evaluation OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s Evaluation of the Farm Compliance Credit Administration s with the Federal Information
More informationVA Office of Inspector General
VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP
More informationEvaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
More informationPersonally Identifiable Information (PII) Breach Response Policy
Information Technology Requirement Personally Identifiable Information (PII) Breach Response Policy NITR-1382-1 Version Date: 20071213 Effective Date: 20071221 Expiration Date: 20091221 Responsible Office:
More informationCMS POLICY FOR THE INFORMATION SECURITY PROGRAM
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0
More informationInformation Technology Security Requirements Summary
Information Technology Security Requirements Summary 1. Background Investigation Contractor employees who will have access to federal information technology (IT) systems are subject to background investigations
More informationSecurity Language for IT Acquisition Efforts CIO-IT Security-09-48
Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason
More informationFISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
More informationOFFICE OF INSPECTOR GENERAL
U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2014 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT Issued: 11/14/2014 This report conveys the results of the OIG s review
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act Report October 27, 2009 Reference Number: 2010-20-004 This
More informationU.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2015 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT
U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2015 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT Issued: 12/8/2015 This report conveys the results of the OIG s review
More informationIT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES
More informationSMITHSONIAN INSTITUTION
SMITHSONIAN INSTITUTION FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012 INDEPENDENT EVALUATION REPORT TABLE OF CONTENTS PURPOSE 1 BACKGROUND 1 OBJECTIVES, SCOPE, AND METHODOLOGY 2 SUMMARY OF RESULTS
More informationOffice of Inspector General
Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases
More informationDepartment of Veterans Affairs VA Handbook 6500. Information Security Program
Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationVA Office of Inspector General
VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Modernization Act Audit for Fiscal Year 2015 March 15, 2016 15-01957-100 ACRONYMS
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationInformation Security for Managers
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
More informationAudit of the Board s Information Security Program
Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve
More informationAudit of the Department of State Information Security Program
UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program
More informationDEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE
DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 Washington, DC 20420 Transmittal Sheet March 22, 2010 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE 1. REASON FOR ISSUE: This
More information2014 Audit of the Board s Information Security Program
O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL
More informationFiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.
More informationEPA Classification No.: CIO-2150.3-P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015
Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM MAINTENANCE PROCEDURES V1.8 JULY 18, 2012 1. PURPOSE The purpose of this procedure
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationINSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES
INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES Report No.: ISD-IS-OCIO-0001-2014 June 2014 OFFICE OF INSPECTOR GENERAL U.S.DEPARTMENT OF THE INTERIOR Memorandum JUN 0 4 2014 To: From:
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. ELECTION ASSISTANCE COMMISSION EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT
More informationPOSTAL REGULATORY COMMISSION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
More informationInformation Security for IT Administrators
Fiscal Year 2015 Information Security for IT Administrators Introduction Safeguarding the HHS Mission Information Security Program Management Enterprise Performance Life Cycle Enterprise Performance Life
More informationNASA Information Technology Requirement
NASA Information Technology Requirement NITR 2810-17 Effective Date: November 12, 2008 Expiration Date: May 16, 2011 System Maintenance Policy and Procedures Responsible Office: Office of the Chief Information
More informationCybersecurity Risk Management Activities Instructions Fiscal Year 2015
Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 An effective risk management program and compliance with the Federal Information Security Management Act (FISMA) requires the U.S.
More informationMission Assurance and Security Services
Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationNETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationCompliance Risk Management IT Governance Assurance
Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems
More informationOFFICIAL USE ONLY. Department of Energy. DATE: January 31, 2007 Audit Report Number: OAS-L-07-06
DOE F 1325.8 (08-93) United States Government Memorandum Department of Energy DATE: January 31, 2007 Audit Report Number: OAS-L-07-06 REPLY TO ATTN OF: SUBJECT: TO: IG-34 (A06TG041) Evaluation of the "Office
More informationIn Brief. Smithsonian Institution Office of the Inspector General. Smithsonian Institution Information Security Program
Smithsonian Institution Office of the Inspector General Smithsonian Institution In Brief Report Number A-11-05, May 15, 2012 Why We Did This Audit The Federal Information Security Management Act of 2002
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationDecember 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments
December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More informationNetwork Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA)
Network Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA) System Categorization: Moderate Version 1.5 May 30, 2013 Prepared by: Security & Compliance Services (SCS) and Infrastructure
More informationDepartment of Homeland Security
Evaluation of DHS Information Security Program for Fiscal Year 2013 OIG-14-09 November 2013 Washington, DC 20528 / www.oig.dhs.gov November 21, 2013 MEMORANDUM FOR: FROM: SUBJECT: Jeffrey Eisensmith Chief
More information5 FAH-8 H-351 CLOUD COMPUTING
5 FAH-8 H-350 CLOUD COMPUTING (Office of Origin: IRM/BMP) 5 FAH-8 H-351 CLOUD COMPUTING GOVERNANCE BOARD a. The Cloud Computing Governance Board (CCGB) exists to provide advice to the Authorizing Official
More informationFSIS DIRECTIVE 1306.3
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS
More informationFortinet Solutions for Compliance Requirements
s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationSecurity Policy for External Customers
1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationIT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data
IT Security Handbook Incident Response and Management: Targeted Collection of Electronic Data ITS HBK 2810.09 03 Effective Date: 20110824 Expiration Date: 20130824 Responsible Office: OCIO/ Deputy CIO
More informationSECURITY ASSESSMENT AND AUTHORIZATION
SECURITY ASSESSMENT AND AUTHORIZATION INFORMATION SYSTEM SECURITY ASSESSMENT AND AUTHORIZATION PROCESS CHAPTER 02 ITS-HBK-2810.02-02 HANDBOOK EFFECTIVE DATE: 20150201 EXPIRATION DATE: 20180201 RESPONSIBLE
More informationHomeland Security Virtual Assistance Center
for the Homeland Security Virtual Assistance Center November 3, 2008 Contact Point Donald M. Lumpkins National Preparedness Directorate (FEMA) (202) 786-9754 Reviewing Official Hugo Teufel III Chief Privacy
More informationAssessment of SEC s Continuous Monitoring Program
Appendix III Assessment of SEC s Continuous Monitoring Program August 11, 2011 Assessment and Review Conducted by C5i Federal, Inc. UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549
More informationSAMPLE IT CONTINGENCY PLAN FORMAT
SAMPLE IT CONTINGENCY PLAN FORMAT This sample format provides a template for preparing an information technology (IT) contingency plan. The template is intended to be used as a guide, and the Contingency
More informationChecklist to Assess Security in IT Contracts
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationFinal Audit Report -- CAUTION --
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of Information Systems General and Application Controls and Administrative Expense Review at
More informationISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services
ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better
More informationStandard Operating Procedure
Standard Operating Procedure IT System Certification & Accreditation Process For Effective Date: 20080707 Expiration Date: 20110707 Responsible Office: Office of the Chief Information Officer Document
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationAudit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013
Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,
More informationCyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology
Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationIndependent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More informationNARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014
NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix
More informationGAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters
GAO United States Government Accountability Office Report to Congressional Requesters May 2010 INFORMATION SECURITY Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing GAO-10-513
More informationDepartment of Veterans Affairs
OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 May 12, 2011 10-01916-165 FISMA NIST OIG OMB POA&M ACRONYMS AND ABBREVIATIONS
More informationStandard Operating Procedure Contingency Planning Guidance
Standard Operating Procedure Contingency Planning Guidance Version Date: 20080702 Effective Date: 20080707 Expiration Date: 20110707 Responsible Office: Office of the Chief Information Officer 1 Document
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationOffice of Inspector General Independent Evaluation Report
Office of Inspector General Independent Evaluation Report Review of Federal Trade Commission Implementation of the Federal Information Security Management Act For Fiscal Year 2004 October 6, 2004 EVALUATION
More informationADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015.
ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015. This addendum is applicable to each purchase order that is subject to the State of Maryland s contract number 060B2490021-2015.
More informationAR 05-066. Office of Inspector General
AR 05-066 Office of Inspector General Review of Federal Information Security Management Act Corrective Actions for July 2004 March 31, 2005 OFFICE OF INSPECTOR GENERAL FEDERAL TRADE COMMlSSION WASHINGTON,
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationUnited States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)
for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief
More informationREPORT ON FY 2006 FISMA AUDIT OF THE SMITHSONIAN INSTITUTION S INFORMATION SECURITY PROGRAM
REPORT ON FY 2006 FISMA AUDIT OF THE SMITHSONIAN INSTITUTION S INFORMATION SECURITY PROGRAM Cotton & Company LLP Auditors Advisors 635 Slaters Lane, 4 th Floor Alexandria, Virginia 22314 703.836.6701 www.cottoncpa.com
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More information